Only allow login with single/main address/username
Do not allow that you can log into the account with every address.
If my account name is john.smith then only allow login with john.smith or john.smith@protonmail.com. Not with finance.john.smith@protonmail.com or any other address.
Perfect would be if you would have the choice what address can be used in order to log into your account.
With the current way you have to give away your login username in order to send emails. Hiding the username from the public would be an advantage, since they would have to guess your username and the password. Not only one of them.
-
Unsatisfied Donkey commented
Its unbelievable that this is still not a feature. I have been reading around the internet and the biggest answer I get is "Proton is a supporter of the idea that security through obscurity isn’t security."
As a paid user? I dont care. I am and I expect my money to going to every bit of security possible, especially if its something that doesnt increase overhead for you and its simple to implement.
For me, my login name is something in no way associated with me and I wish it to be so. I simply dont like the idea of making information like that public. A freakin OUTLOOK can do that. But with proton, as a paid user, I am forced to make my login name public simply by sending an email. I made a switch to proton last year because I wanted to maximise my security. I just learned this is the case and I am starting to regret my decision.
Get yourself together proton. This isnt a feature difficult to implement. Costs you next to nothing.
For people not interested in feature like this, simply make it a toggle in the settings. Not an issue.
-
Jay Newman commented
+1
-
Net Coaster commented
Extremely important feature, please implement it. it shouldn't be that difficult to do that. Obscurity is not security but would prefer that the hackers have 0 of the 3 needed info than 1 of the 3 needed info.
-
Stifler commented
wow, open since 2017 and not fixed?
-
Miko (mīkō) commented
Adding my support and real-world use case... Due to my info being exposed in many data breaches I have abandoned several email addresses. On my MS Outlook account I am able to disable logging in with all but one email address. This email address is dedicated to the purpose of login and is never used for sending emails. This limits the risk of the login email being exposed in data breaches. My login email address does not contain my name or any other PII. As stated already, it would be ideal if logging in could be limited to the "user name" only and or 1 email address. Another way to say this is, I want the ability to disable use of any of my Proton email addresses for the purpose of logging into my Proton account. Hope this helps. Kind Regards, M.
-
ProtonJ commented
Please Proton Team, this should be an easy security feature to add. I hate that any of my email addresses can be used to log into my entire proton account, I should have the ability to use an email that hasnt been exposed externally as my login, thus preventing any brute force attacks on a compromised address.
-
Evil Spider commented
I m shocked that I can login with aliases, this is really bad.. We really need an option to select the login username, especially as more services are linked now.. We use same account for passwords, vpn and mail
-
Essie commented
I was surprised I could login with all my aliases.
They're aliases, not accounts, so I really wish other people couldn't (try) to login with those emails.
I don't want to use randomized email aliases for everything, so that's why I use protonmail aliases for more important things, but dont want the ability to login with those emails... hope they can add an option to turn it off and only be able to login with the account email -
We need to share this as much as possible with the entire Proton Commujnity. This is a very very very important and critical issue.
-
Paul commented
This is critical. Allowing login with any of the alias emails is a serious security risk. I *never* use the primary email in order to protect the account from hacking but Proton undermines this by allowing login using other emails. Please fix this serious risk ASAP.
-
AP commented
I'm back here reaffirming the importance of this feature to me. This feature which I use with Microsoft Account has saved me from attempted hacking / account take over attempts. I can put my "Main" email address out there without that same identifier being the login address for my account.
With data breaches happening all the time and our email information getting put out there, having a way to secure that email account by using an alternative identifier for log in is critical in maintaining account security. Please implement this feature.
-
Rob commented
I literally just signed up for uservoice for the sole purpose of voting for this suggestion. As an Unlimited paid Proton user, I'm reluctant to use any of my other email addresses anywhere because like others have said, it increases the possibility of someone being able to hack into my account. After learning these emails can all be used to log in, I'm going to deactivate the vast majority of them (nullifying one of the big benefits to being a paid customer). Proton, please fix this... pretty please with a cherry on top!
-
Basile commented
You could simply append your username to your password (e.g. SecurePass-john.smith). This way the attacker also needs to guess your username and password.
-
[Deleted User] commented
At the moment when you create an alias there is no way to turn off that alias or main username as a login vector.
You should add the ability to turn off all forms of sign in Usernames/Emails but one. Of a user's choosing.
So, let a user keep his main username/email activated as a login vector and let the user turn off others that they do not want as a login.
Also if a user wants an alias to be his main login let them add it as a login and then let them have an option to turn off their main username as a login vector.
Similar to how Microsoft Outlook lets you choose to turn off any emails and phone numbers as a way to log in.
-
D commented
This feature is of highest importance. It is the only thing I was disappointed about when switching to Proton. Please, Proton, allow us to select which usernames/email addresses can be used to log in.
-
This is a critical issue. Without that, having multiple address is just multiplying the risks...
Please Proton team, make a rule or a setting to only allow login from the "default" address selected. -
Guy8888 commented
If this feature is implemented, I'll be inclined to buy a paid Proton subscription.
It's essential for me that I can have multiple email addresses that can't be used to find my Proton account. Obscurity is the best form of security.
-
Thomas Anderson commented
The things is: using e-mail by definition exposes your username to others. That same username is used to login.
Why would we expose this username externally at all?
A custom username (e.g. 20 or more random characters) being the only credential that can be used prevents this.
-
Thomas Anderson commented
Dear Proton,
First of all thank you for all the great work and efforts, I think you are a fantastic company. For real!
The situation is, many of us may have used our protonmail e-mail addresses in the past to register at external websites (shops etc.) way before Simplelogin was introduced.
Having multiple e-mail addresses that are able to login to the master Proton account increases the attack surface, if a hacker breaches a webshop and obtains our Proton e-mail addresses.
Could we please gain the option to login with a custom username only and disable all login with protonmail.com, proton.me and pm.me e-mail addresses? So the option = only authenticate with 1 custom username.
This way we can create a long secret username that is never shared externally, e.g. in your password manager, and it increases the security because any e-mail addresses that might have been obtained in the various recent breaches are not able to login to the Protonmail account (e.g. if they try to bruteforce it.)
The ideal scenario would be:
Login with password, secret username and 2FA = never shared externally. Only credential with authorization rights to login.
Protonmail / proton.me / pm.me = rarely shared externally. Can only send mail, use Proton functions.
Simplelogin domains = freely shared externally for e-mail purposes, create new alias when compromised and disable old one.
This is not paranoid. Take a look at the news recently. The current cybersecurity climate demands us all to step up our game and remain ahead. Please implement this.
Thanks for reading this far.
-
mih commented
Please implement this feature